Last week Cisco released a critical patch for Prime License Manager (PLM) that corrects a patch it released in November to address a SQL injection vulnerability; the latest patch was released on 12/21/2018. Although the initial patch resolved the vulnerability, it created other problems: installing it disabled the install/upgrade functionality and the backup/restore function in the PLM user interface. Cisco PLM supports a number of collaboration applications, including but not limited to Cisco Unified CM, Cisco Unity Connection and Cisco WebEx Meetings Server.

The SQL injection vulnerability was discovered in the web framework code of Cisco PLM. It could allow an unauthenticated, remote attacker to execute arbitrary SQL queries against the PLM database.

Cisco posted the details in its security advisory:

“The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.”
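The bug class Cisco describes, user-supplied input concatenated into a SQL statement without validation, is easy to see in miniature. The following is an added example written for this page; it is not PLM's code (which is not public) and does not reproduce the PLM vulnerability. It uses a constructed three-row SQLite table as a stand-in for a PostgreSQL license database, and a constructed hostile POST field value, to show how the same input deletes one row through a parameterized query but every row through string concatenation.

```python
import sqlite3

# Constructed sample table standing in for a license database. SQLite is used
# only so the example runs offline; the concatenation bug is identical on
# PostgreSQL. The schema is an assumption for illustration, not PLM's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE licenses (id INTEGER PRIMARY KEY, product TEXT, count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO licenses (product, count) VALUES (?, ?)",
        [("Unified CM", 100), ("Unity Connection", 50), ("WebEx Meetings Server", 25)],
    )
    conn.commit()
    return conn


def remaining(conn):
    """Products still present, in insertion order."""
    return [row[0] for row in conn.execute("SELECT product FROM licenses ORDER BY id")]


def delete_license_unsafe(conn, product):
    """Vulnerable pattern: the POST field is spliced into the SQL text, so the
    attacker controls the statement, not just a value."""
    conn.execute("DELETE FROM licenses WHERE product = '" + product + "'")
    conn.commit()
    return remaining(conn)


def delete_license_safe(conn, product):
    """Hardened pattern: a bound parameter. The driver sends the value separately
    from the statement, so quote characters in it are never parsed as SQL."""
    conn.execute("DELETE FROM licenses WHERE product = ?", (product,))
    conn.commit()
    return remaining(conn)


# Constructed hostile value for a 'product' POST field (not a real PLM payload).
# Concatenated, it yields: ... WHERE product = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both code paths against fresh databases and return what survives."""
    benign = delete_license_unsafe(make_db(), "Unified CM")
    injected = delete_license_unsafe(make_db(), PAYLOAD)
    parameterized = delete_license_safe(make_db(), PAYLOAD)
    return benign, injected, parameterized


if __name__ == "__main__":
    benign, injected, parameterized = demo()
    print("unsafe, benign input  ->", benign)
    print("unsafe, hostile input ->", injected)
    print("safe, hostile input   ->", parameterized)
```

With a benign product name the two functions behave identically, which is why this class of bug survives functional testing; only the hostile input separates them. The fix Cisco describes as "proper validation" is, in practice, binding every user-supplied value as a parameter rather than trying to filter quote characters out of it.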

The latest patch retains the security fix from the November release and remedies the install/upgrade and backup/restore regressions it introduced.